Enterprise Web Development: Login Systems

What we need to learn
Authentication: Users
Authorisation: Roles, Access Rules

Authentication
Authentication is the process of determining whether someone or something is, in fact, who they are declared to be. Are you who you say you are?

Options
Forms Based: Users will be required to log on using a web form. The site will use forms authentication to identify users according to user information that you store in a database.
Windows Based: The site will use built-in Microsoft Windows authentication to identify users. Users with a valid Windows user name and password will be able to access your site.

Authorisation
The power or right to gain access to a resource. You are who you say you are, but do you have the rights to see this data?

Users
They are individuals who are allocated:
a User Name or User ID
a Password
a Security Question and Answer

Roles
Roles enable you to allow or deny groups of users authority to access specific folders in your Web site. For example, you might create roles such as "visitors", "members", or "administrator", each with different access to specific areas.

Access Rules
Access rules control access to the whole Web site or to groups of pages. Rules can apply to specific users and roles, to all users, to anonymous users, or to some combination of these. Rules apply to subfolders.

Documentation
5. Security Policy – Requirements Doc: Define the access control policy of entities for types of users. Who can see and do what.
8. Security System – Design Doc: Describe the authentication and authorisation system you are putting in place to satisfy the policy you describe in requirements document section 5.

How the Tool Works
The Web Site Administration Tool manages security information in the following two places:
The Web.config file
The site provider database that is used to store user and group information.
Web.config Settings
The Web.config settings that are managed through the Security tab are the <authorization>, <roleManager>, and <authentication> sections.

Database
When you use the default data provider, the Web Site Administration Tool creates entries in the default ASP.NET database. By default, the Web Site Administration Tool creates a database in the App_Data folder of the Web site. However, using the Provider tab, you can specify that application information for user accounts and roles be kept in another database (for example, retrieving role information from the Windows user database).

A Process
For each role you defined in section 5:
Create at least one sub-directory, for example Visitor_area, MemberAdmin_area, Adminonly_area.
Move the files associated with each role to the appropriate sub-directory.
Create access rules by mapping roles onto the associated directories.

The Tool
Use the Users section of the Security tab to complete the following tasks:
Create, edit, and delete registered user accounts for the Web site.
View a list of all registered user accounts for the Web site.
Change the authentication method that is used by the Web site. If you choose the "From the Internet" option for your authentication type, you are using forms-based authentication. If you choose the "From a local network" option as your authentication type, you are using integrated Windows authentication and you cannot manage individual user accounts.

If you change the authentication type, any user information that you have created will be lost. Additionally, access rules might no longer work in the way that you configured them. Generally, you should select an authentication type only when you first configure the Web site.

Use the Roles section of the Security tab to group user accounts, which makes it easier to assign permissions (authorization).
Use the Access Rules section of the Security tab to allow or deny access for specified pages to specific user accounts or to all user accounts that belong in a specified role. Typically, you use an access rule to restrict pages for some user accounts.

Creating Users
You can create and manage user accounts if you have set the authentication type to From the Internet (forms authentication). To change authentication types, click Select authentication type.

To create user accounts, click Create user, and then specify the following information:
User Name: Enter the name for the user account to create.
Password: Enter the password for User Name. Passwords are case sensitive.
Confirm Password: Re-enter Password.
E-mail: Enter the e-mail address for User Name. The Web Site Administration Tool does not confirm whether the address that you enter is a valid e-mail address, but it does validate that the e-mail address conforms to the correct format for e-mail addresses.
Security Question: Enter a question to ask the user when they need to reset or recover their password.
Security Answer: Enter the answer to Security Question.
Active User: Select this option to enable this user account as an active (current) user of the site. If you do not select this option, the user information is stored in the database, but the user cannot log on to the Web site.
Roles: Select the roles for User Name. You create roles separately. For more information, see the next page.

Create Roles
To create a role:
On the Security tab, click Enable roles.
Click Create or Manage roles.
In the New role name box, enter a name for the role to create, such as Administrator, Member, or Guest, and then click Add Role.

To add user accounts to roles:
On the Security tab, click Manage Users, and then click Edit User.
Under Roles, select the roles for the user account.

To create access rules:
On the Security tab, click Create access rules.
Specify the following options:
Select a directory for this rule: You can choose to create a rule that applies to the whole site or to only a specific subdirectory. In the directory structure display for the Web site, select the directory to which the rule applies.
Rule applies to: Specify how to apply the rule.
Role: Select Role, and then in the list, select the name of the role to which the access rule applies.
User: Select User, and then enter the name of the user account to which the access rule applies. If you are using ASP.NET membership (Web site security is set to From the Internet), you can also use the Search for users feature.
All users: Select this option to apply the rule to all visitors to the Web site. Note: be careful when you create a rule with the All users option. Because rules are applied in order, you can unintentionally create a rule that prevents all users from accessing a folder.
Anonymous users: Select this option to apply this rule to anonymous (non-registered) user accounts only. Typically, you choose the Anonymous users option to restrict (deny) access for users who are not logged on.
Permission: Select Allow to give access to the specified directory for the specified user account or role. Select Deny to refuse access to the specified directory for the specified user account or role.

For example, to prevent users who are not logged on (anonymous) from viewing pages in a folder, click the folder, select Anonymous users, and then select Deny. Sometimes, you might have to create multiple rules for the same folder in order to establish the correct permissions. For example, you might create a rule that denies access to anonymous user accounts and a second rule that denies access to user accounts in the role of Guest. That way, only users who are logged on and in another group can access the folder.
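As an added example (not part of the original slides), this is the Web.config that the Process slide's role-to-directory mapping and the deny-anonymous-plus-deny-Guest example above produce; the folder and role names come from the slides, and the Login.aspx page name is an assumption. ASP.NET evaluates the <authorization> rules for a folder top to bottom and stops at the first match, which is why each protected folder ends with a deny-all rule and why the ordering warning in the All users note matters.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. Role and folder names
     come from the slides; Login.aspx is an assumed page name. -->
<configuration>
  <system.web>
    <!-- Forms-based authentication ("From the Internet" in the tool). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>
    <!-- Enable roles; the default provider stores them in App_Data. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Visitor_area: anyone, including anonymous users, may view it. -->
  <location path="Visitor_area">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- MemberAdmin_area: deny anonymous users ("?") first, then deny the
       Guest role, so only logged-on users in another role get through.
       Rules are evaluated top to bottom and the first match wins. -->
  <location path="MemberAdmin_area">
    <system.web>
      <authorization>
        <deny users="?" />
        <deny roles="Guest" />
        <allow roles="Member,Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Adminonly_area: Administrator role only. Putting <deny users="*" />
       above the allow would lock everyone out, which is the ordering
       mistake the All users note warns about. -->
  <location path="Adminonly_area">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The Web Site Administration Tool writes equivalent <authorization> sections into a Web.config inside each sub-directory rather than using <location> elements in the root file; both forms are evaluated the same way.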